Attacks that use patching processes and software updates have evolved a long way from the simple fake "flash update" exploits.  

Today attackers are focusing on exploiting software and service providers as a means to reach their targets.  That means that the activity that would normally expose the malicious actor by detecting things like DDoS attacks, failed logins, port scans, etc. happen on a network you don't monitor.  

As these attackers find more creative ways to get into your organization, the more important it is to detect their actions and limit their ability to move laterally on your network.